Posted by Soulskill on Friday June 24, 2011 @11:17AM from the next-in-line dept.

garatheus writes "The folks at EA/BioWare sent out an email this morning (GMT +2) outlining that their older Neverwinter Nights forums had been hacked, with a fair amount of user information stolen from the database — the likes of user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates. They do go on to say that 'no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers.' There's no pointing of fingers as to who might have done the compromising, though."

Back when I signed up for their forum, like, I dunno, 6 or 8 years ago, I thought about this issue. At the end of the day, I decided that as long as they don't try some nonsense like invalidating my keys because *they* let them get stolen, I didn't care.

It's their forum, and their game keys. The keys don't protect me, they protect Bioware. They don't expose ANYTHING else of mine to any risk.

If they try to invalidate my keys for, e.g. online multiplayer, because of their stupidity in making people put the ke

I'll go contact a class-action lawsuit lawyer

Keep us informed. You'll have no problem with that. The email addresses for everyone will be out shortly. Note: Mine is a spam bucket that I only check after I sign up for some site so don't send to it multiple times in one day.

...strange thing I have never played Neverwinter Nights, nor have I ever signed up on those forums. I believe everyone with an EA account for any game must have received this e-mail. Nice to at least see a company do a full disclosure quickly after a breach, rather than sitting on the info for a few weeks while they "assess the damage".

Oddly enough, I played NWN when it first came out, and had an active forum account, yet I didn't get notification when they originally were hacked. Now I get an email to one of my EA accounts that isn't attached to any games, but not the other.

Two weeks ago, however, I started getting daily spam to that other EA account, which almost never got spam before (or at least never got spam that wasn't caught by google's filters). It's all related to "games" too, although it appears to be gambling/online casino spa

Actually it is harmful. While the company is out trying to figure out how and what got stolen, the hackers are trying the stolen passwords on users' email accounts and anywhere else that the user's email address pops up. Time is very important when dealing with these things so that the users can change their passwords as soon as possible.

Nice to at least see a company do a full disclosure quickly after a breach

You know what would really be nice? For a company to take a fucking look at their security and prevent this from happening. THAT would be nice. Seems like some amount of my information has been leaking on a weekly basis for months now.

Haha! Yes. Can't believe all the crap that is happening at the moment. It is not that hard to secure your IT systems. I guess all these companies have been sitting back and enjoying their free ride, up until now. But because everyone is being hacked, does it even affect their reputation?

Well annoyingly for me I never had an account with NWN but I did create one for Dragon Age (required for DLC) and I still received the email. I'm not sure where that leaves me - if it was the NWN servers that were hacked does that mean my data is safe, or is this an admission that the hack is more widespread, or do they have no way to distinguish who signed up for what, or is it just cheaper and easier for them to spam everyone? Way to add a bucket load of ambiguity to the situation.

I got the email this morning but for the life of me don't know why. I'd never played nor heard of Neverwinter before I got the email.

Email below...

"We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers’ data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we

More likely it was some related game or game forum he signed up to. I got the email but my account was set up for DA:O and Dead Space 2, I've never played NWN. Seems like they're emailing everyone who has signed up for anything to do with their games, I don't know if that's just being cautious or if it's indicative that the leak might be wider than NWN players.

I generated a unique e-mail address for Bioware forums way back when NWN first came out. I started getting spam on that address in the last couple of weeks. So it's likely this didn't happen in the last couple of days.

Considering I only received an e-mail from BioWare last night it's not old to me, or probably most other people who received it. I've never played NWN, but I have a forum account to get the ME2 "free DLC". Disconcerting how they are mailing everyone out of "an abundance of caution", seems like they can't be certain how much info the hackers got.

I would have far preferred them to have demonstrated an "abundance of caution" before they got hacked. Locking the stable door after the horse has bolted much? That's assuming they're actually even being more cautious (and not just covering their arses) since it didn't seem to prevent SOE getting hacked weeks after the PSN fiasco - how much trust can we put in their caution?

NWN1 is one of the few games that actually didn't suck. Bioware yanked all DRM except the CD key needed to get to use the multiplayer servers (which is perfectly acceptable), and supported the game for a very long time with not just fixes, but additional content.

It is sad to see this hacked -- one could easily get thousands of hours of entertainment with NWN1 just due to well written player made modules.

I wish the hackers could have nailed some game company that puts out crap instead of a game which has aged quite well and is actually still worth playing.

Not to mention Bioware, who put out Dragon Age 2 - the game in which they literally use the same five dungeons, but pretend they're different dungeons, repeatedly (gee, isn't it odd how this noble's house is exactly the same as this NPC's house which is exactly the same as that brothel...). Maybe they made quality back in the day, but the latest offerings are definitely a case of phoning it in. I'm almost dreading to see what they're going to do with ME:3.

Single-player in NWN was pretty bland, but that wasn't its point. It let people with minimal map design experience create large, interesting worlds. Sure, it would still be rooms and crates and barrels (at least in the dungeons), but at that point it all depends on how well they can spin the story. And you could do a lot of nifty stuff there with scripts.

I never got into the MMO wave largely because for me it already happened back in NWN. I mostly played on Middle Earth servers which promoted strict rolepla

I believe that forum was shut down, and moved to Bioware's new Social site along with the Dragon Age and Mass Effect forums. If it's no longer possible to login and use that forum, the database probably should have been scrubbed of passwords and CD Keys and the like.

The forum was technically shut down, but remained available for archival purposes. Over the years there was a lot of information gathered and made available on that site. You could still find most of your answers to NWN there. But you are correct, some, if not all, of the information should have been scrubbed from the site.

I'm getting way too many of these e-mails lately. I've had multiple companies send me e-mails to inform me their servers have been compromised. One of my accounts on another server was compromised last week as well.

I think that my biggest concern isn't what they might get out of an individual account, but what type of information that they can put together through cross-referencing information derived from multiple compromised servers. Birth dates, secret questions that might open up other accounts elsew

Secret questions are one of my biggest bugbears - especially when so many sites use them as a way to, for instance, reset your account email address. 99% of the questions seem to be the same across multiple sites. On a very few occasions I've seen the option to create your own challenge and response, this seems to be a much more sane option as you can literally create a unique question (or set of questions) for every site, and you can tailor them to be far more difficult to guess (mother's maiden name must

mother's maiden name must be relatively trivial to track down for most folks these days.

Fortunately my mother's maiden name is GMgDcbkxfT1Mk6T4znV3IQ.

But this is a pain because no-one in their right mind should be giving correct answers to these insecurity questions, but then they become yet more passwords that you have to remember for all these different sites.

NWN was one of my favorite games, and one of the few I bothered to register on forums for. There was a lot of high-quality user generated content that was available. I was in their system, with CD keys, name, partial address, phone, (fake) DOB, etc.

About two months ago I decided to "clean up" my presence on the internet. Among other efforts, I went thru my mail archives for the last 7 years looking for references to anywhere I had created an account, posted messages, or had an identifiable presence.

Next, I created an anonymous, free Hushmail account. Just for paranoia's sake, I used a random proxy whenever I logged in there. I then logged in to every site that I had record of having an account on, recovering passwords if necessary. This included NWN forums.

Once back in, I changed all the login information to bogus info. Incorrect addresses, phony phone number, wrong dates of birth, random passwords and the disposable Hushmail e-mail address. Most sites needed confirmation on e-mail, so you just can't make something up.

The few sites that allowed it, I then deleted or disabled the account. Those that didn't are forever beyond my reach with false info and not tied to my e-mail address.

Only three remain, including Slashdot and GMail. I'm working on replacing GMail, and Slashdot I'll keep since it never had any valid personal info other than my e-mail (GMail) address.

Checking Hushmail shows I got a copy of the letter from EA, proving my efforts paid off. All the info is bogus. After July, waiting just to make sure I didn't miss anything, I'll let the Hushmail account expire and be purged.

My identifiable presence on the Internet will be only what I want it to be. With a little effort, privacy *can* be maintained regardless of what Messrs. Zuckerberg and Brin say.

Anyway, what's to say that some of the sites you have changed your login for (including possibly NWN) don't keep archived or backup records of previous email addresses, password hashes, addresses, etc?

Are you kidding? Have you seen the code quality and effort put into most websites? While I have no trouble believing Google or Facebook might keep histories or backups, most of the lesser sites just don't put that sort of effort or expense into their code and data. *MAYBE* a banking or investing site, but CNet

You should look at sneakemail. It allows you to pass out a disposable address. They handle the routing to the real email of your choice. One of the few email services I still pay for. It lets you pick out a problem email rather quickly.

I don't think the game generates any revenue for BioWare anymore, they've stopped doing expansions a long time ago, etc. CD keys are all compromised now as well - they were the last line of protection.
Can't they just make the sources available so all the fans can go on improving the game?

I think the engine it used was used by other companies, which may make things hard to opensource it... Kinda like the unreal engine being used in multiple titles... I certainly wouldn't mind seeing them open source it, but I just doubt it will happen...

I got one of those emails last night, and I presumed it to be some sort of phishing attempt, since I don't actually have any account on EA's or Bioware's forums. I simply deleted the email without clicking the link.

I may have used that email to register the product, but that was the extent of it.